Cyware Weekly Cyber Threat Intelligence February 26 - March 02, 2018

The Good

• The U.S. Cyber Command is looking forward towards an analytics solution housed under a contract called RAINFIRE. The command issued a request for information to gain  insights on joint analytics support capabilities. The analytics solution is poised to serve the Capabilities Development Group and further  integrate with different collaborative IT initiatives. The overall purpose is to support the cyber warfighters employed by the Department of Defense.
• Researchers from the leading institutes of MIT and Harvard have come up with a new system that is tasked to improve the privacy in private browsing. The system has been named Veil and provides enhanced protection to the people sharing their computers with other people at different public or private venues like offices, hotels, business centers and even university computer centers. The new system can be integrated with the existing private-browsing systems and anonymity networks.

The Bad

• Earlier this week, the US Marine Corps Force Reserve was at the receiving end of a major data breach that lead to the disclosure of sensitive information of over 21,000 Marines, sailors and civilians. The data breach occurred due to accidental exposure in an unencrypted email. The DoD’s Defense Travel System (DTS) sent an email, to a wrong distribution list, that included an attachment containing the sensitive information related to the affected people.
• The famous web-based hosting service GitHub suffered a massive 1.35 Tbps Denial of Service attack this week. GitHub got clogged and went down multiple times this week until the humongous traffic was moved to Akamai, the cloud computing company that was tasked to provide protection from such attacks. As per security analysts, such attacks would become the new normal in coming times.
• The infamous Equifax breach is still throwing up with new revelations. This week, the company discovered that additional 2.4 million U.S consumers that were affected by the cyber attack. As of now the total count of the affected has totaled to 147 million. In the newly discovered breach, the victims were found to have their sensitive details like names and partial driver’s license information stolen. The good news was that the hackers could not get their hands on their Social Security numbers.
• Security researchers have discovered a massive trove to data that was exposed due to an unprotected Amazon Web Services S3 bucket. The breach affects the company named Birst, a Cloud Business Intelligence and Analytics firm. The exposed database is 50.4 GB worth of data of one of Birst’s users Capital One, a McLean, Virginia based financial services giant and eighth-largest commercial bank in the United States. The leaked data contained technical information on Birst appliance specially configured for Capital One’s cyberinfrastructure.

New Threats

• Researchers have discovered a new Remote Access Trojan (RAT) that has been written entirely in Python. The trojan is tasked to perform highly targeted attacks. Dubbed CannibalRAT, the trojan displays the signs of code cannibalization. Two variants of the trojan have been found with both of them having unsophisticated RAT capabilities. One of the versions of the trojan targeted the users of a Brazilian public sector management school.
• There has been a big shift in the threat landscape with hackers preferring crypto miners over ransomware in the late last season. However, new families of ransomware are still being discovered. This week, the security researchers found a new ransomware family dubbed Thanatos. When encrypting files on a computer, the malware appends the .THANATOS extension to them. After completing the encryption, the malware connects to a specific URL to report back, thus allowing attackers to keep track of the number of infected victims.
• The hackers are delivering GandCrab ransomware using a new method. Although, the decryption key for this ransomware has already been released, but hackers are still not willing to yield. Now, they are using EITest to distribute GandCrab ransomware as part of HoeflerText Font Update scam. This social engineering scam scrambles the text of a hacked site when a visitor reaches it through a search engine. The JavaScript then issues an alert stating that the scrambled text was due to a browser font not being found and that a user should download and install a browser Font Pack to fix the problem.
• A new vulnerability in Adobe ReaderDC was found that if exploited could lead to arbitrary code execution. Since Adobe ReaderDC allows embedded Javascript scripts in the PDF, a hacker gains the potential ability to precisely manipulate the memory layout and create an additional attack surface. As per the security researchers “A specific Javascript script embedded in a PDF file can cause the document ID field to be used in an unbounded copy operation leading to stack-based buffer overflow when opening a specially crafted PDF document in Adobe Acrobat Reader DC 2018.009.20044”.